views:

627

answers:

0

Hi all... I have a site with a Silverlight-enabled WebService (.svc file). In that app is also a Silverlight application which references this service.

Now, our website uses multiple headers (to account for the user coming to it with or without the 'www.' subdomain, e.g. mydomain.com and www.mydomain.com). So I put in a clientaccesspolicy.xml file to allow access from the other subdomain (in addition to the web.config change). This all worked fine.

Now, we need to lock it down so that ONLY our domain can access the service... so I modified the clientaccesspolicy.xml file as I thought to allow access only to our two subdomains. However, it is still allowing access to other domains. To test this, I did NOT include the domain for our test server, so I would've expected running the Silverlight off the test site to fail, but it does not; it still gets all the data and works as expected.

What changes do I need to make to clientaccesspolicy.xml to make sure that ONLY our two subdomains can access the service? My XML follows:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="http://www.mydomain.com"/>
                <domain uri="http://mydomain.com"/>
            </allow-from>
            <grant-to>
                <resource path="/" include-subpaths="true"/>
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>

EDIT: I did also try restarting both the website, and the whole IIS service (not the physical box) after making the changes, but it still didn't seem to work.
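The following is an added example, not code from the post above. It models how the Silverlight runtime applies a clientaccesspolicy.xml served from the root of the service's domain: the file is consulted only for cross-domain calls (different scheme, host or port from the XAP's origin), each `<domain uri>` entry matches scheme and host (with `*` and `*.host` wildcards), and each `<resource>` entry matches the request path. Run against the policy from the post, it shows that the two listed hosts are allowed, a test-server host is refused, an https caller is refused by an http-only entry, and, most relevant to the symptom described, a XAP served from the same host as the service is never checked at all. The host `test.mydomain.com`, the paths `/Service.svc` and `/ClientBin/App.xap`, and the policy evaluation logic are assumptions made for the example.

```python
"""Model of how the Silverlight runtime applies clientaccesspolicy.xml.

Added example (not from the original post). It evaluates a policy file
against a requesting XAP origin and a target service URL the way the
Silverlight client is documented to: the file is only consulted for
cross-domain calls, <domain uri> entries match scheme and host (with
"*" and "*.host" wildcards), and <resource> entries match the path.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# The policy from the post, reproduced here as sample input.
POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="http://www.mydomain.com"/>
                <domain uri="http://mydomain.com"/>
            </allow-from>
            <grant-to>
                <resource path="/" include-subpaths="true"/>
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>
"""


def _origin(url):
    """(scheme, host, port) triple the runtime compares for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def _domain_matches(pattern, origin):
    """Match one <domain uri="..."> entry against the XAP origin."""
    scheme, host, _ = origin
    if pattern == "*":                      # any scheme, any host
        return True
    if "://" not in pattern:
        return False                        # malformed entry never matches
    pscheme, phost = pattern.split("://", 1)
    phost = phost.rstrip("/").lower()
    if pscheme.lower() != scheme:           # an http entry does not cover https callers
        return False
    if phost == "*":                        # "http://*": any host on that scheme
        return True
    if phost.startswith("*."):              # "http://*.mydomain.com": subdomains only
        return host.endswith(phost[1:])
    return host == phost                    # exact host match


def _path_matches(resource, path):
    """Match one <resource path=... include-subpaths=...> entry."""
    granted = resource.get("path", "/")
    subpaths = resource.get("include-subpaths", "false").lower() == "true"
    return path.startswith(granted) if subpaths else path == granted


def evaluate(policy_xml, xap_url, service_url):
    """Return (allowed, reason) for a Silverlight app at xap_url calling service_url.

    policy_xml is the clientaccesspolicy.xml served from the root of the
    service's domain, which is the only place the runtime looks for it.
    """
    if _origin(xap_url) == _origin(service_url):
        # Same scheme/host/port: the runtime never fetches or checks the policy.
        return True, "same-origin call; clientaccesspolicy.xml not consulted"
    app = _origin(xap_url)
    path = urlsplit(service_url).path or "/"
    root = ET.fromstring(policy_xml.encode("utf-8"))
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        grant = policy.find("grant-to")
        if allow is None or grant is None:
            continue
        domain_ok = any(_domain_matches(d.get("uri", ""), app)
                        for d in allow.findall("domain"))
        path_ok = any(_path_matches(r, path) for r in grant.findall("resource"))
        if domain_ok and path_ok:
            return True, "cross-domain call allowed by <policy>"
    return False, "cross-domain call; no <policy> grants this origin and path"


if __name__ == "__main__":
    svc = "http://mydomain.com/Service.svc"          # assumed service location
    for xap in ("http://www.mydomain.com/ClientBin/App.xap",
                "http://test.mydomain.com/ClientBin/App.xap",   # constructed test-server host
                "https://www.mydomain.com/ClientBin/App.xap"):
        print(xap, "->", evaluate(POLICY_XML, xap, svc))
    # The case that matches the post's symptom: XAP and service on the same test box.
    print(evaluate(POLICY_XML, "http://test.mydomain.com/App.xap",
                   "http://test.mydomain.com/Service.svc"))
```

Two things this makes visible. First, if the test server hosts both the Silverlight app and the .svc, the call is same-origin and the policy file on that server is irrelevant; the check only takes effect when the XAP is loaded from one host and calls a service on another. Second, clientaccesspolicy.xml is enforced by the Silverlight (and Flash) runtime on the client, not by IIS: any browser or script that is not one of those runtimes can call the service regardless of what the file says, so restricting callers to your own domains still requires server-side authentication or authorization on the service itself.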